[olug] OT: "Securing" a WinXP Home Edition Machine

Phil Brutsche phil at brutsche.us
Sat Feb 5 01:40:27 UTC 2005


Jake Churchill wrote:
> Black Ice for a firewall

IMO you should remove such thoughts from your head immediately.

You're taking the wrong standpoint in securing the machine.

By the time the malicious software has executed on the machine, it's
already too late; the firewall software is no longer functioning.  Ditto
for AV software and anti-spyware software.

You need to keep the malicious software from running in the first place,
which is *really* hard, considering the tendency of some people to
download and install random "freeware".

The *best* way to protect a Windows machine is:
 * The built-in XP firewall is *more* than good enough, if you disagree
   get a Linksys tonka toy or the equivalent.  Most host-based firewalls
   are worthless and are trivially bypassed, especially when the user
   has admin rights (see bullet 3).
 * Up-to-date AV software.  Trend Micro is a good choice, and even works
   correctly when the user doesn't have admin rights ;) (once again
   bullet 3)
 * Do not, under any circumstances, run with Admin privileges!

Do you do everything as root on your *NIX boxes?  No, you don't.  You
"su" or "sudo" to get root when you need it.

So why don't you do the same on a Windows box?  XP users can use FUS
(fast user switching) to switch over to an admin account when you need to
install something.

It's not easy, considering the high number of clueless Windows
developers out there.  But I can speak from experience that it is *highly*
effective at keeping a machine clean.  40+ Windows machines are under my
care, and over 3 years I have had *zero* spyware infestations.

-- 

Phil Brutsche
phil at brutsche.us


